Clarification on sub claim

[MidasLamb]

From what I can tell from the code, it seems that the sub claim returned by dex is a combination of both the sub claim returned by the external idp and the name of the connection that is configured.
Is this correct? I'm currently evaluating if I can base an entire authZ setup around the fact that the sub claim inside the id token returned from dex uniquely identifies someone, and my concern is that if one of the configured oidc's becomes compromised, that they could craft token where the sub matches the sub provided by another oidc, allowing them to impersonate them.

Thanks in advance!

[nabokihms]

Hello, @MidasLamb. As you've mentioned, a sub claim in Dex token consists of two things: one is a unique id provided by an external oidc provider, and the second is a unique id from the Dex config, which identifies an external provider. Frauds still need access to reconfigure a Dex instance to impersonate a user from another oidc provider.

Note: sub claim returned by Dex is not a plain text string encoded in base64, yet a protobuf serialized string with two fields.